Message ID | 20240412200217.23419-1-bethany.jamison@canonical.com
---|---
Series | CVE-2023-52530
On 4/12/24 2:02 PM, Bethany Jamison wrote:
> [Impact]
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> wifi: mac80211: fix potential key use-after-free
>
> When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but
> returns 0 due to KRACK protection (identical key reinstall),
> ieee80211_gtk_rekey_add() will still return a pointer into the key, in a
> potential use-after-free. This normally doesn't happen since it's only
> called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK
> protection, but still better to fix, do that by returning an error code
> and converting that to success on the cfg80211 boundary only, leaving the
> error for bad callers of ieee80211_gtk_rekey_add().
>
> [Fix]
>
> Mantic: pending
> Jammy: Backport - context conflict with neighboring line that didn't seem
> to affect the fix change so I implemented the fix change directly
> Focal: J patch applied cleanly.
> Bionic: fix sent to esm ML
> Xenial: fix sent to esm ML
> Trusty: not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use the mac80211 framework, an issue with this
> fix would be visible via unpredicted system behavior or a system crash.
>
> Johannes Berg (1):
>   wifi: mac80211: fix potential key use-after-free
>
>  net/mac80211/cfg.c | 3 +++
>  net/mac80211/key.c | 2 +-
>  2 files changed, 4 insertions(+), 1 deletion(-)

Acked-by: Tim Gardner <tim.gardner@canonical.com>
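The error-propagation pattern the cover letter describes, modelled as an added user-space C example that is not the kernel's mac80211 code: key_link, gtk_rekey_add and cfg_add_key are hypothetical stand-ins for ieee80211_key_link(), ieee80211_gtk_rekey_add() and the cfg80211 boundary, and the use of -EALREADY as the error code (plus the ERR_PTR helpers) is an assumption about how the fix is expressed. The `fixed` flag switches between the pre-fix behaviour (0 returned after the duplicate key is freed, so the caller hands back a dangling pointer) and the fixed one (error code returned, folded into success only at the boundary).

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Minimal stand-ins for the kernel's ERR_PTR / IS_ERR / PTR_ERR helpers. */
#define ERR_PTR(e) ((void *)(intptr_t)(e))
#define IS_ERR(p)  ((uintptr_t)(p) >= (uintptr_t)-4095)
#define PTR_ERR(p) ((long)(intptr_t)(p))
struct key { uint8_t idx; uint8_t material[16]; };
static struct key *installed[4]; /* one slot per key index (model only) */

/* Stand-in for ieee80211_key_link(). On an identical reinstall (the case
 * KRACK protection rejects) the unused key is freed. Pre-fix this returned
 * 0, indistinguishable from a real install; post-fix (assumed) -EALREADY. */
static int key_link(struct key *key, int fixed)
{
    struct key *cur = installed[key->idx];
    if (cur && !memcmp(cur->material, key->material, sizeof key->material)) {
        free(key);
        return fixed ? -EALREADY : 0;
    }
    free(cur); /* replace any different key in this slot */
    installed[key->idx] = key;
    return 0;
}

/* Stand-in for ieee80211_gtk_rekey_add(): hands back a pointer into the key.
 * With the pre-fix key_link(), err == 0 on identical reinstall and the
 * returned pointer refers to memory key_link() already freed. */
static struct key *gtk_rekey_add(uint8_t idx, const uint8_t material[16], int fixed)
{
    struct key *key = malloc(sizeof *key);
    if (!key)
        return ERR_PTR(-ENOMEM);
    key->idx = idx;
    memcpy(key->material, material, sizeof key->material);
    int err = key_link(key, fixed);
    return err ? ERR_PTR(err) : key;
}

/* Stand-in for the cfg80211 boundary: only here is -EALREADY folded back into
 * success, so userspace still sees a harmless no-op while in-kernel callers
 * of gtk_rekey_add() get an error pointer instead of a dangling one. */
static int cfg_add_key(uint8_t idx, const uint8_t material[16])
{
    struct key *k = gtk_rekey_add(idx, material, 1);
    if (!IS_ERR(k))
        return 0;
    return PTR_ERR(k) == -EALREADY ? 0 : (int)PTR_ERR(k);
}
```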
On 12/04/2024 22:02, Bethany Jamison wrote:
> [Impact]
> [...]

Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
On 24/04/12 03:02PM, Bethany Jamison wrote:
> [Impact]
> [...]

Acked-by: Andrei Gherzan <andrei.gherzan@canonical.com>
On 12/04/2024 22:02, Bethany Jamison wrote:
> [Impact]
> [...]

Applied to jammy, focal master-next branches. Thanks!